Posted to users@tomcat.apache.org by David Wall <d....@computer.org> on 2004/02/09 17:06:47 UTC

Re: TC 5 production use -- iptables to make it work without root

> Only for port redirection you don't need to buy any hardware.
> If you are running tomcat inside a linux box, you can configure iptables
> to do the port redirection. Everything via software, no hardware.
>
> Vitor

You are absolutely correct.  In fact, I've abandoned JSVC precisely because
I can do this.  This is great because not only do you not need the extra JSVC,
but you don't need to start as root at all.

For example, here are the iptables rules I use under RH 9 to effect what
Vitor is saying:

(If you're using the /etc/rc.d/init.d/iptables script, this is the control
file for it -- of course, you could do this "manually" by simply putting the
command 'iptables' in front of these lines and assuming that your INPUT
chain jumps to the YOZONS-BPN-INPUT )

-A YOZONS-BPN-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A YOZONS-BPN-INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A YOZONS-BPN-INPUT -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A YOZONS-BPN-INPUT -p tcp -m tcp --dport 8443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

The above lines are assuming you block all access to your system except for
what you let in.  This allows the INPUT packets to come in on the standard
ports of 80 and 443 (only 443 if you need HTTPS) as well as the "tomcat"
ports of 8080 and 8443.

Then, using the NAT commands (on iptables table "-t nat") to do port
redirecting:

-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

This maps the production ports to the tomcat listening ports.

In your tomcat server.xml file, continue to use the 8080/8443 Connector
ports, and if you need 8080 to redirect to SSL, I'd suggest you redirect to
443 (the standard port).  You could have it redirect to 8443, but then the
8443 will appear in all your URLs and if your visitors have an egress
firewall, they likely won't be able to reach your system, so it looks like:

    <Connector port="8080"
               maxThreads="20" minSpareThreads="10" maxSpareThreads="10"
               enableLookups="false" redirectPort="443" acceptCount="100"
               debug="0" connectionTimeout="20000"
               disableUploadTimeout="true" maxPostSize="100000000" />


Good luck,
David
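
Added example, not part of David's message or of Tomcat: a small Python model of the packet path through the rule set above, where nat PREROUTING runs before filter INPUT. It shows that redirected external traffic reaches the INPUT chain already carrying the 8080/8443 destination, and that connections generated on the box itself bypass PREROUTING. The rule tables are transcribed from the message; the function names are my own.

```python
"""Model of the iptables packet path described in the thread.

Constructed from the rules in the message; this is a simulation of the
table ordering (nat PREROUTING, then filter INPUT, then local delivery),
not a driver for a real iptables.
"""

# nat PREROUTING: external destination port -> Tomcat connector port
NAT_REDIRECT = {443: 8443, 80: 8080}

# filter INPUT (YOZONS-BPN-INPUT): ports whose TCP SYN is ACCEPTed;
# the message assumes everything else is blocked by default
INPUT_ACCEPT_SYN = {80, 443, 8080, 8443}

# ports Tomcat actually binds; both are unprivileged, so no root needed
TOMCAT_LISTEN = {8080, 8443}


def trace_inbound_syn(dport, from_local=False):
    """Follow a TCP SYN through the tables; return (outcome, final_port).

    from_local=True models a packet generated on the box itself: it goes
    through nat OUTPUT, not PREROUTING, so the REDIRECT rules do not fire.
    """
    # 1. nat PREROUTING rewrites the port only for packets arriving on an
    #    interface; this happens before the filter table sees the packet.
    if not from_local:
        dport = NAT_REDIRECT.get(dport, dport)
    # 2. filter INPUT: the SYN must match an ACCEPT rule on the final port.
    if dport not in INPUT_ACCEPT_SYN:
        return ("dropped-by-filter", dport)
    # 3. local delivery: a listener must exist on that port.
    if dport not in TOMCAT_LISTEN:
        return ("connection-refused", dport)
    return ("tomcat", dport)


def ports_seen_by_input_from_outside():
    """Destination ports the INPUT chain can observe for external SYNs to
    the four opened ports, after PREROUTING has done its rewrite."""
    return {NAT_REDIRECT.get(p, p) for p in INPUT_ACCEPT_SYN}
```

A consequence worth checking on a real box: because the rewrite precedes INPUT, the 80 and 443 ACCEPT rules are never matched by redirected external SYNs, and a client on the host itself connecting to port 80 gets a refused connection unless a matching REDIRECT is also added to the nat OUTPUT chain.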


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: TC 5 production use -- iptables to make it work without root

Posted by David Wall <d....@computer.org>.
> I'm curious, why don't you use Apache and JK
> connector?
>
> Evgeny Gesin

We currently do, but we're creating a new simpler version for smaller
offices and corporate departmental computing.  The fewer running parts the
better, and the fewer things that need to be patched going forward, the
easier to troubleshoot, etc.  Apache has lots of capabilities that are not
in Tomcat, and some believe that doing SSL in Apache, even with the added
overhead of the JK, is more efficient.  It's even nice when Apache runs on a
front-end web server connected to the Internet and Tomcat runs on a backend
app server that's not directly connected to the Internet.

However, if Tomcat does everything you need, it's a good platform.  By
running it as a normal user, the idea of starting/stopping as 'root' and
having to deal with Apache's security issues (nothing bad, but every
component connected is another component that can be exploited) makes things
simpler for our end customers.

There's nothing wrong with Apache+JK in my opinion.

David




Re: TC 5 production use -- iptables to make it work without root

Posted by Evgeny Gesin <ev...@yahoo.com>.
I'm curious, why don't you use Apache and JK
connector?

Evgeny Gesin

